WordPress.org

Making WordPress.org

Opened 3 weeks ago

Closed 3 weeks ago

Last modified 2 weeks ago

#4579 closed defect (wontfix)

Requests to http://api.wordpress.org URLs should 301 to the HTTPS equivalent

Reported by: jonoaldersonwp Owned by:
Milestone: Priority: low
Component: API Keywords:
Cc:

Description

HTTPS is available here, but not enforced. This should be resolved for security + performance + quality reasons.

Change History (2)

#1 @Otto42
3 weeks ago

  • Resolution set to wontfix
  • Status changed from new to closed

Those don't redirect on purpose. Old versions of WordPress, pre-3.7, didn't have a copy of the cacert.pem file, so https requests would often fail because they couldn't do certificate verification. Forcing a redirect on http requests here would have the effect of simply blocking the requests from older WordPress installs.

If we want to block old installs and stop supporting them, fine, but we should do that intentionally, not by accident.

#2 @SergeyBiryukov
2 weeks ago

There were also cases where wp_http_supports( array( 'ssl' ) ) returns true but in reality the site can't connect because of cURL/certifcate issues, see #WP25716 or #WP26010 for example.

Note: See TracTickets for help on using tickets.